Documentation
¶
Index ¶
- Variables
- func CrashMethodNames() []string
- func FormatMemorySegmentAddress(seg *MemorySegmentInfo) string
- func FormatPID(pid int) string
- func GetRunningPIDs() ([]int, error)
- func PermissionsToNative(perms Permissions) int
- func SegmentTypeNames() []string
- func StateNames() []string
- type CachingProcess
- type CrashMethod
- type DefaultMemoryReaderFactory
- type MemoryReader
- type MemoryReaderFactory
- type MemorySegmentInfo
- type Permissions
- type Process
- type ProcessInfo
- type SegmentType
- type State
Constants ¶
This section is empty.
Variables ¶
var ErrInvalidCrashMethod = fmt.Errorf("not a valid CrashMethod, try [%s]", strings.Join(_CrashMethodNames, ", "))
var ErrInvalidSegmentType = fmt.Errorf("not a valid SegmentType, try [%s]", strings.Join(_SegmentTypeNames, ", "))
var ErrInvalidState = fmt.Errorf("not a valid State, try [%s]", strings.Join(_StateNames, ", "))
var ErrProcIsParent = fmt.Errorf("not supported on parent")
ErrProcIsParent is returned when trying to suspend the immediate parent process. Reason for this is the assumption that the parent process always is some form of console, which needs to be running in order to handle IO.
var ErrProcIsSelf = fmt.Errorf("not supported on self")
ErrProcIsSelf is returned when trying to suspend the current process.
var PermR = Permissions{ Read: true, }
PermR is readonly Permissions.
var PermRC = Permissions{ Read: true, Write: true, COW: true, }
PermRC is the read and copy-on-write Permissions.
var PermRCX = Permissions{ Read: true, Write: true, COW: true, Execute: true, }
PermRCX is the read-execute and copy-on-write Permissions.
var PermRW = Permissions{ Read: true, Write: true, }
PermRW is the read-write Permissions.
var PermRWX = Permissions{ Read: true, Write: true, Execute: true, }
PermRWX is the read-write-execute Permissions.
var PermRX = Permissions{ Read: true, Execute: true, }
PermRX is the read-execute Permissions.
Functions ¶
func CrashMethodNames ¶
func CrashMethodNames() []string
CrashMethodNames returns a list of possible string values of CrashMethod.
func FormatMemorySegmentAddress ¶
func FormatMemorySegmentAddress(seg *MemorySegmentInfo) string
FormatMemorySegmentAddress formats the *MemorySegmentInfo.BaseAddress to a hex string with prefix '0x' and either 8 or 16 digits (based on the address value) with leading zeros.
func GetRunningPIDs ¶
GetRunningPIDs returns the PIDs of all running processes.
func PermissionsToNative ¶
func PermissionsToNative(perms Permissions) int
PermissionsToNative converts the given Permissions to the native linux representation.
func SegmentTypeNames ¶ added in v0.12.0
func SegmentTypeNames() []string
SegmentTypeNames returns a list of possible string values of SegmentType.
func StateNames ¶
func StateNames() []string
StateNames returns a list of possible string values of State.
Types ¶
type CachingProcess ¶
type CachingProcess interface {
Process
InvalidateCache()
}
CachingProcess is a Process that caches *ProcessInfo and *MemorySegmentInfo. This cache will only be updated after InvalidateCache was called.
func Cache ¶ added in v0.6.0
func Cache(proc Process) CachingProcess
func OpenProcess ¶
func OpenProcess(pid int) (CachingProcess, error)
OpenProcess opens another process.
type CrashMethod ¶
type CrashMethod int
CrashMethod selects a method to crash a process.
ENUM( createThreadOnNull )
const ( // CrashMethodCreateThreadOnNull is a CrashMethod of type CreateThreadOnNull. CrashMethodCreateThreadOnNull CrashMethod = iota )
func ParseCrashMethod ¶
func ParseCrashMethod(name string) (CrashMethod, error)
ParseCrashMethod attempts to convert a string to a CrashMethod.
func (CrashMethod) MarshalText ¶
func (x CrashMethod) MarshalText() ([]byte, error)
MarshalText implements the text marshaller method.
func (CrashMethod) String ¶
func (x CrashMethod) String() string
String implements the Stringer interface.
func (*CrashMethod) UnmarshalText ¶
func (x *CrashMethod) UnmarshalText(text []byte) error
UnmarshalText implements the text unmarshaller method.
type DefaultMemoryReaderFactory ¶
type DefaultMemoryReaderFactory struct{}
DefaultMemoryReaderFactory is the default MemoryReaderFactory.
func (*DefaultMemoryReaderFactory) NewMemoryReader ¶
func (f *DefaultMemoryReaderFactory) NewMemoryReader(proc Process, seg *MemorySegmentInfo) (MemoryReader, error)
NewMemoryReader calls NewMemoryReader.
type MemoryReader ¶
type MemoryReader interface {
io.ReadCloser
io.Seeker
}
MemoryReader provides capabilities to read and seek through another processes memory.
func NewMemoryReader ¶
func NewMemoryReader(proc Process, seg *MemorySegmentInfo) (MemoryReader, error)
NewMemoryReader creates a new MemoryReader to read the given segment of the given Process.
type MemoryReaderFactory ¶
type MemoryReaderFactory interface {
NewMemoryReader(proc Process, seg *MemorySegmentInfo) (MemoryReader, error)
}
MemoryReaderFactory is a factory for MemoryReader.
type MemorySegmentInfo ¶
type MemorySegmentInfo struct {
// ParentBaseAddress is the base address of the parent segment.
// If no parent segment exists, this is equal to the BaseAddress.
// Equivalence on windows: _MEMORY_BASIC_INFORMATION->AllocationBase
ParentBaseAddress uintptr `json:"parentBaseAddress"`
// BaseAddress is the base address of the current memory segment.
// Equivalence on windows: _MEMORY_BASIC_INFORMATION->BaseAddress
BaseAddress uintptr `json:"baseAddress"`
// AllocatedPermissions is the Permissions that were used to initially
// allocate this segment.
// Equivalence on windows: _MEMORY_BASIC_INFORMATION->AllocationProtect
AllocatedPermissions Permissions `json:"allocatedPermissions"`
// CurrentPermissions is the Permissions that the segment currently has.
// This may differ from AllocatedPermissions if the permissions where changed
// at some point (e.g. via VirtualProtect).
// Equivalence on windows: _MEMORY_BASIC_INFORMATION->Protect
CurrentPermissions Permissions `json:"currentPermissions"`
// Size contains the size of the segment in bytes.
// Equivalence on windows: _MEMORY_BASIC_INFORMATION->RegionSize
Size uintptr `json:"size"`
// RSS contains the ResidentSetSize as reported on linux, i.e.
// the amount of RAM this segment actually uses right now.
// Equivalence on windows: No equivalence, this is currently always equal to Size.
RSS uintptr `json:"rss"`
// State contains the current State of the segment.
// Equivalence on windows: _MEMORY_BASIC_INFORMATION->State
State State `json:"state"`
// Type contains the Type of the segment.
// Equivalence on windows: _MEMORY_BASIC_INFORMATION->SegmentType
Type SegmentType `json:"type"`
// File contains the path to the mapped file, or empty string if
// no file mapping is associated with this memory segment.
MappedFile fileio.File `json:"mappedFile"`
// SubSegments contains sub-segments, i.e. segment where their ParentBaseAddress
// is equal to this segments BaseAddress.
// If no such segments exist, this will be a slice of length 0.
SubSegments []*MemorySegmentInfo `json:"-"`
}
MemorySegmentInfo contains information about a memory segment.
func (*MemorySegmentInfo) CopyWithoutSubSegments ¶
func (s *MemorySegmentInfo) CopyWithoutSubSegments() *MemorySegmentInfo
CopyWithoutSubSegments creates a copy of this *MemorySegmentInfo, but the SubSegments of the returned *MemorySegmentInfo will be of length 0.
func (*MemorySegmentInfo) EstimateRAMIncreaseByScanning ¶ added in v0.9.0
func (s *MemorySegmentInfo) EstimateRAMIncreaseByScanning() uintptr
EstimateRAMIncreaseByScanning estimates the increase in RAM usage when scanning this segment. The problem arises on linux, when the kernel has not yet loaded certain pages in this segment. By scanning the segment, the kernel will load the entire segment into RAM.
func (*MemorySegmentInfo) String ¶
func (s *MemorySegmentInfo) String() string
String returns a human readable representation of the BaseAddress.
type Permissions ¶
type Permissions struct {
// Is read-only access allowed
Read bool `json:"read"`
// Is write access allowed (also true if COW is enabled)
Write bool `json:"write"`
// Is copy-on-write access allowed (if this is true, then so is Write)
COW bool `json:"COW"`
// Is execute access allowed
Execute bool `json:"execute"`
}
Permissions describes the permissions of a memory segment.
func ParsePermissions ¶
func ParsePermissions(s string) (Permissions, error)
ParsePermissions parses the string representation of a Permissions, as output by Permissions.String and returns the resulting Permissions.
Each character of the string is interpreted individually and case insensitive. A '-' is ignored, 'r' stands for read, 'w' for write, 'c' for copy-on-write, and 'e' or 'x' for execute. Any other character results in an error. The resulting Permissions is the combination of all character interpretations.
func (Permissions) EqualTo ¶
func (p Permissions) EqualTo(other Permissions) bool
EqualTo returns true if the other Permissions is exactly equal to this one.
func (Permissions) IsMoreOrEquallyPermissiveThan ¶
func (p Permissions) IsMoreOrEquallyPermissiveThan(other Permissions) bool
IsMoreOrEquallyPermissiveThan returns true if the other Permissions is equally or more permissive than this one. See IsMorePermissiveThan for more information
func (Permissions) String ¶
func (p Permissions) String() string
String returns the string representation of this Permissions.
type Process ¶
type Process interface {
io.Closer
fmt.Stringer
PID() int
Info() (*ProcessInfo, error)
Handle() interface{}
MemorySegments() ([]*MemorySegmentInfo, error)
Suspend() error
Resume() error
Crash(CrashMethod) error
}
Process provides capability to interact with or retrieve information about other processes.
type ProcessInfo ¶
type ProcessInfo struct {
PID int `json:"pid"`
Bitness arch.Bitness `json:"bitness"`
ExecutablePath string `json:"executablePath"`
ExecutableMD5 string `json:"executableMD5"`
ExecutableSHA256 string `json:"executableSHA256"`
Username string `json:"username"`
MemorySegments []*MemorySegmentInfo `json:"memorySegments"`
}
ProcessInfo represents information about a Process.
type SegmentType ¶ added in v0.12.0
type SegmentType int
SegmentType represents the type of a memory segment.
ENUM( image mapped private privateMapped )
const ( // SegmentTypeImage is a SegmentType of type Image. SegmentTypeImage SegmentType = iota // SegmentTypeMapped is a SegmentType of type Mapped. SegmentTypeMapped // SegmentTypePrivate is a SegmentType of type Private. SegmentTypePrivate // SegmentTypePrivateMapped is a SegmentType of type PrivateMapped. SegmentTypePrivateMapped )
func ParseSegmentType ¶ added in v0.12.0
func ParseSegmentType(name string) (SegmentType, error)
ParseSegmentType attempts to convert a string to a SegmentType.
func (SegmentType) MarshalText ¶ added in v0.12.0
func (x SegmentType) MarshalText() ([]byte, error)
MarshalText implements the text marshaller method.
func (SegmentType) String ¶ added in v0.12.0
func (x SegmentType) String() string
String implements the Stringer interface.
func (*SegmentType) UnmarshalText ¶ added in v0.12.0
func (x *SegmentType) UnmarshalText(text []byte) error
UnmarshalText implements the text unmarshaller method.
type State ¶
type State int
State represents the state of a memory segment.
ENUM( commit free reserve )
func ParseState ¶
ParseState attempts to convert a string to a State.
func (State) MarshalText ¶
MarshalText implements the text marshaller method.
func (*State) UnmarshalText ¶
UnmarshalText implements the text unmarshaller method.
Source Files